A Data Standards Weblog

Wednesday, 29 June 2011

Following a series of well-publicized data breaches, cyberinsurance is big business. A company's costs can soar after a data breach, not necessarily because of the direct consequences of the breach itself, but because of the spike in customer queries that follows it. Organizations therefore need cover for both direct losses and business disruption. Business Insurance magazine reports:

"Aon’s Mr. [Kevin] Kalinich said fewer than 5% of data breaches lead to costs of more than $20 million, and yet more and more companies are seeking to be insured for that and more to protect themselves against the shifting risk. Large customers are going to extremes, taking out coverage for data breach liabilities of as much as $200 million, while also taking $25 million deductibles to keep their premiums down."

The cyberinsurance market is heading for prime time. But: "What is missing from the equation, however, is standards. Insurers can try to standardize the risk from hacking attacks, but cyberinsurance still is not auto insurance, where carriers can make their customers wear seat belts as a condition of a policy."

I can hear some people saying: They're talking about a different kind of standard, not a data standard... The ACORD community shouldn't get all fired up just because the word "standards" has been mentioned; data standards should wait on business definitions.

But that's not right. The standards the ACORD community creates are business standards. They're standards that get actualized as collections of bits and bytes. But they're not a whole other species. They are business definitions.

Think about it: How will the industry standardize the concepts, relationships and parameters needed to productize cyberinsurance, so that carriers can rate products correctly and customers can understand value? Everyone with an interest in the development of the business needs to express their needs, and understand the perspectives of others. They then need to agree on a common language for the domain.

This, I submit, is exactly what ACORD does. That the results of these deliberations are expressed in message standards, forms and data models is a technicality. (A technicality that means agreed standards can be implemented immediately by the industry.) If you know of a better way to meet this latest need of the insurance industry, I'd like to know what it is. What do you think?

New Book

My latest book presents the challenges members face when adopting industry standards as well as the opportunities that come as a result. It features my discussions with many people over many years and follows the foundation I set in my first book "The Business Information Revolution".

Industry standards are never adopted in a vacuum. They become part and parcel of all the trials and tribulations managers face in their day-to-day work. ACORD Standards are always part of a larger software development project that brings along people, priorities and politics. Adopting industry standards isn't simple, but the benefits far outweigh the problems of building and maintaining proprietary alternatives.

I trust that you will appreciate my frankness, identify with some of the challenges and learn from what others have done to pave the way.
